WebRat malware spreads via fake GitHub exploit repos — attackers are poisoning trust in open source to deliver payloads. Verify before you clone. 🧩⚠️ #OpenSourceSecurity #MalwareCampaign
On a very special Christmas episode of #OpenSourceSecurity I asked Daniel Thompson-Yvetot how the #CRA will impact Santa Claus
I meant the episode to be silly, just in time for Christmas, but I think I learned more from Daniel in those 50 minutes than I have in the last 3 years reading about CRA
It's an amazing episode filled with things to learn, and even some silly ideas :)
Also, Daniel has a new book you can enter a drawing for, instructions are at the end of the show
https://opensourcesecurity.io/2025/2025-12-daniel-cra-santa/

Josh welcomes back Daniel Thompson to explore the rather silly question of whether Santa Claus needs to be compliant with the Cyber Resilience Act (CRA). This episode was intended to be silly, but it ended up being an incredibly interesting conversation. Daniel explained a great deal about how the CRA works and how it could apply to Santa Claus. The TL;DR is that even if he’s giving out free stuff, the CRA almost certainly applies. Daniel also fills us in on his book (you can email Josh to enter a drawing for a copy) and his work on web browsers for the CRA. It’s an incredibly informative discussion.
OpenSSF-funded improvements to Sigstore’s rekor-monitor are making transparency logs easier to monitor for malicious package releases and identity misuse.
Great work by @trailofbits, with support from the sigstore maintainer community including Hayden Blauzvern and @mihaimaruseac.
🔗 https://openssf.org/blog/2025/12/19/catching-malicious-package-releases-using-a-transparency-log/
🔥 Watchtower has been archived, and developers are creating popular forks. A security discussion was locked and deleted, and the user who posted it was blocked as well. This is a **warning sign** about the transparency of a project that requires high system privileges. Check carefully before using it.
Believe it or not, things got a little spicy in #softwaresupplychainsecurity this week, with #Docker, Inc. calling out Chainguard as it made its catalog of #DockerHardenedImages free under an #Apache2 license (to which Chainguard had some answers).
In the meantime, #Chainguard launched EmeritOSS, a new support option for deprecated #OSS projects. #opensourcesecurity
Only strictly verified and digitally signed source code is allowed in Kicksecure, blocking execution of unauthorized or tampered software.
#Kicksecure #DigitalSignatures #SecureSupplyChain #SoftwareIntegrity #OpenSourceSecurity
🎙️ New What’s in the SOSS podcast episode is out!
NYU professor Justin Cappos from @nyutandon discusses teaching software supply chain security in academia, the role of open source, and how to better prepare the next generation of developers.
🎓 Learn more about the Academic Computing Accreditation Program:
https://www.linuxfoundation.org/academic-computing-accreditation